[30981] in Kerberos


RE: Acquiring a TGT for a host/ principal using Active Directory

daemon@ATHENA.MIT.EDU (Wilper, Ross A)
Wed Apr 8 12:03:25 2009

Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 8 Apr 2009 09:00:56 -0700
Message-ID: <B9BF119F687A824C8A49C4E4ED695768016180F4@its-exchmb01.stanford.edu>
In-Reply-To: <gri6lb$mn8$1@ellebore.extra.cea.fr>
From: "Wilper, Ross A" <rwilper@stanford.edu>
To: "manu" <emmanuel.bouillon@cea.fr>, <kerberos@mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

There is a bug in the Windows 2008 KDC that prevents any principal name with a "/" in it from authenticating from a non-Windows client.

KB Article Number(s): 951191

This is a public hotfix, but you may need to contact Microsoft to get the hotfix. The hotfix is included in SP2.

-Ross

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of manu
Sent: Wednesday, April 08, 2009 5:52 AM
To: kerberos@mit.edu
Subject: Re: Acquiring a TGT for a host/ principal using Active Directory

Hello,
You can try:
kinit -kt computerA.keytab COMPUTERA\$
For principals like host/..., cifs/..., HTTP/... created by default with 
every computer account, AD only allows TS.
If you want a TGT you need to use the "real" principal name: COMPUTERA\$.
I don't think the step with ktpass is required.
Hoping this will help,
Best regards,
Emmanuel

John Hefferman wrote:
> Dear All,
> 
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
> 
> The problem I am experiencing is that I can't seem to 'kinit -k' using
> an SPN of an instance type such as host/ when using an AD domain
> controller.
> 
> The procedure is as follows:
> - I create a new account in active directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computerA.fqdn@REALM) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
> not used)
> - I run kinit -kt computerA.keytab host/computerA.fqdn@REALM 
> 
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
> 
> Some additional information:
> 
>  - Ktpass args: -princ host/computerA.fqdn@REALM -mapuser computerA
> -pass +rndPass -out computerA.keytab
> 
>  - Name specified through -princ argument is definitely associated with
> computerA (checked in computerA's attribute list)
> 
>  - kvno works against host/computerA.fqdn@REALM
> 
>  - computerA.keytab contains key and principal name specified through
> -princ
> 
>  - when kinit -k host/computerA.fqdn@REALM is executed, Active Directory
> event viewer logs (on the Domain Controller) shows the 'Account Name'
> that is attempting to acquire the TGT as 'host', instead of
> host/....@... It appears to omit anything that comes after the forward
> slash.
> 
>  - I've tried ktpass with all encryption types - same result.
> 
>  - Same result with user or computer objects in AD.
> 
>  - Same result when both -ptype's are specified when running ktpass
> 
> Just wondering if anyone had had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
> 
> Thanks in advance for any help,
> 
> John

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
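As an added illustration of the point made in the thread (this is not code from the list or from any of the posters), a small Python inspector that reads an MIT-format keytab such as computerA.keytab, lists the principals it holds, and separates the account-name principal (COMPUTERA$) that AD will issue a TGT for from the SPN-style host/ entries that AD only serves through the TGS. The keytab bytes are constructed inline so the example runs offline; the realm EXAMPLE.COM, the hostname and the key bytes are placeholders.

```python
import struct
def _cstr(data: bytes) -> bytes:                 # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Build an MIT keytab (format 0x0502); used only to construct sample input here."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, 0, 2)       # name_type=NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", 2)  # key, kvno32
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(blob: bytes):
    """Return [(principal, enctype, kvno)] for every live entry in the keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, found = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:                                # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        parts = []                                  # realm first, then name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", blob, pos); pos += 2
            parts.append(blob[pos:pos + ln].decode()); pos += ln
        _, _, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4 + klen
        vno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        found.append(("/".join(parts[1:]) + "@" + parts[0], enctype, vno))
        pos = end
    return found

def tgt_candidates(entries):
    """Account-name principal AD accepts for kinit vs SPN names it serves only via TGS."""
    spn = [p for p, _, _ in entries if "/" in p.split("@", 1)[0]]
    return [p for p, _, _ in entries if p not in spn], spn

SAMPLE = build_keytab([                             # constructed sample, not a real keytab
    ("host/computerA.example.com@EXAMPLE.COM", 23, b"\x11" * 16),  # 23 = rc4-hmac
    ("COMPUTERA$@EXAMPLE.COM", 23, b"\x22" * 16),
])
```

Running `tgt_candidates(parse_keytab(SAMPLE))` on a keytab produced by ktpass -princ host/... with no account-name entry returns an empty first list, which is the situation that produces the "Client not found in Kerberos database" error above.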
